regsvr.exe

The executable regsvr.exe has been detected as malware by 5 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Msn Messsenger’. While running, it connects to the Internet address roo.hc.ru on port 80 over HTTP.
MD5:
c0453d688ae12c9bd415dd15ecbcf196

SHA-1:
b5bc43eb4806183342623d9d139356fb813e77cc

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
11/24/2024 6:06:37 PM UTC

Scan engine   Detection                 Engine version
avast!        Win32:Sality              160917-0
Dr.Web        Trojan.Click1.37970       9.0.1.05190
F-Prot        W32/Trojan2.DFYJ          4.6.5.141
F-Secure      IM-Worm:W32/Sohanad.HM    5.16.24
Kaspersky     Worm.Win32.AutoRun        15.0.2.529

File size:
771.5 KB (789,987 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Windows\System32\regsvr.exe

File PE Metadata
Compilation timestamp:
11/25/2007 6:21:46 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

Entry address:
0xA5001


Code size:
404.5 KB (414,208 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Msn Messsenger

Command:
C:\Windows\System32\regsvr.exe

While executing, this file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to w00.rzone.de  (81.169.145.64:80)

TCP (HTTP):
Connects to roo.hc.ru  (89.111.173.121:80)

TCP (HTTP):
Connects to ns1571.webempresa.eu  (5.135.78.248:80)

TCP (HTTP):
Connects to b12.rzone.de  (85.214.5.18:80)

Remove regsvr.exe - Powered by Reason Core Security